Posted for godivarides

Post by Piney » June 26th, 2008, 3:44 pm

Info on current problems/status:
After reinstalling Windows XP and rebooting, AVAST 4.8 antivirus performed a system scan which ran all night; it stopped at 70% complete to announce finding:

Win32:Rootkitgen
TrojanGen
Monder Al

I moved those to the virus chest and continued on (no other virus scanner found these).

Loaded on my system are ZoneAlarm, Spyware Terminator, XoftSpySE and, as of yesterday, Ad-Aware 8.0 Home Edition.

Also interesting to note: when the virus kicks in, my keyboard letters/numbers get 'sticky' and won't print. I worry now that my system info, i.e. sites/logins/passwords, is being captured. I'm not logging into my bank for this reason.


Logs sent by email:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:44 AM, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MI1933~1\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... /*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telus.net/set_region.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {0F3FACB7-2681-4131-9E38-8169242B6B2D} - C:\WINDOWS\system32\cbXNETKb.dll (file missing)
O2 - BHO: (no name) - {3F912E47-FCD1-46CB-AA91-AA9BDA4FEF01} - C:\WINDOWS\system32\wvUljIxw.dll
O2 - BHO: (no name) - {56115928-FDE3-419A-9E0A-0371CCCE012A} - (no file)
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\xxyxWMFv.dll
O2 - BHO: (no name) - {8EE19CA6-B6AF-4765-AFEA-639CBBEF2768} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {d3c394f3-7799-d8eb-f454-d1f74fb0909b} - {b9090bf4-7f1d-454f-be8d-99773f493c3d} - C:\WINDOWS\system32\rbolsdby.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BM470d0d1a] Rundll32.exe "C:\WINDOWS\system32\mtqvhjys.dll",s
O4 - HKLM\..\Run: [443e3e86] rundll32.exe "C:\WINDOWS\system32\nnnojgvr.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhe ... rinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - AppInit_DLLs: dshasrgq.dll
O20 - Winlogon Notify: xxyxWMFv - C:\WINDOWS\SYSTEM32\xxyxWMFv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 9759 bytes

************************************************************************************

Logfile of Spyware Terminator v2.2.1.433 (db:2.006.023.000)
Scan Time: 26/06/2008 10:30:55 AM length: 4017 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Normal
Scan type: Full_Spyware_Scan
Scanned Objects: 175250 (Critical:1)
Filter: No System items, No Safe items, No Invalid items

Running Processes
aawservice.exe [Lavasoft] : C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
aswUpdSv.exe [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
ashServ.exe [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashServ.exe
dcfssvc.exe [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfssvc.exe
MotiveSB.exe [TELUS] : C:\Program Files\TELUS eCare\SmartBridge\MotiveSB.exe
sqlservr.exe [Microsoft Corporation] : C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
InstallStub.exe [Plaxo] : C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
em_exec.exe [Logitech Inc.] : C:\Program Files\Logitech\MouseWare\system\em_exec.exe
hpoavn07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
ymsgr_tray.exe [Yahoo! Inc.] : C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
hpoevm07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
hpOSTS07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
vsmon.exe [Zone Labs, LLC] : C:\WINDOWS\system32\ZONELABS\vsmon.exe

Internet Settings
R - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://home.microsoft.com/search/lobby/search.asp
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = 127.0.0.1;localhost
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO
02 - BHO: - {3F912E47-FCD1-46CB-AA91-AA9BDA4FEF01} - : C:\WINDOWS\system32\wvUljIxw.dll
02 - BHO: - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - : C:\WINDOWS\system32\xxyxWMFv.dll
02 - BHO: Messenger Class - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - [Yahoo! Inc.] : C:\Program Files\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE

StartUps
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PlaxoUpdate : [Plaxo] : C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Yahoo! Pager : [Yahoo! Inc.] : C:\Program Files\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Motive SmartBridge : [TELUS] : C:\Program Files\TELUS eCare\SmartBridge\MotiveSB.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, APL : [Best Software] : C:\Program Files\ACT\ACT FOR WIN 7\APL.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 443e3e86 : : C:\WINDOWS\system32\galhbfmf.dll
04 - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs : : C:\WINDOWS\system32\dshasrgq.dll
04 - HKLM\System\CurrentControlSet\Control\Session Manager, BootExecute : : C:\WINDOWS\system32\lsdelete.exe
04 - Startup: %STARTUPALL%\HPAiODevice(hp officejet g series) - 1.lnk [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

Shell Extensions
KodakShellExtension - {acb4a560-3606-11d3-aef4-00104bd0f92d} - [Eastman Kodak Company] : C:\Program Files\Common Files\Kodak\IFScore\shellext.dll
YMailShellExt Class - {5464D816-CF16-4784-B9F3-75C0DB52B499} - [Yahoo! Inc.] : C:\Program Files\Yahoo!\Common\ymmapi.dll
My Sharing Folders - {FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll
CLSID_WLMCMimeFilter - {0563DB41-F538-4B37-A92D-4659049B7766} - [Microsoft Corporation] : C:\Program Files\Windows Live\Mail\mailcomm.dll
- {06A2568A-CED6-4187-BB20-400B8C02BE5A} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe
Windows Live Photo Gallery Import Autoplay Shim - {00F33137-EE26-412F-8D71-F84E4C2C6625} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
Windows Live Photo Gallery Viewer Shim - {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
Windows Live Photo Gallery Editor Shim - {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
Windows Live Photo Gallery Viewer Autoplay Shim - {00F30F90-3E96-453B-AFCD-D71989ECC2C7} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
ZLAVShExt Class - {D9872D13-7651-4471-9EEE-F0A00218BEBB} - [Zone Labs, LLC] : C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
avast - {472083B0-C522-11CF-8763-00608CC02F24} - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashShell.dll
WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} - : C:\Program Files\WinRar\rarext.dll
Outlook File Icon Extension - {0006F045-0000-0000-C000-000000000046} - [Microsoft Corporation] : C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL

Shell Extecute Hooks
- {{7D3C7FA8-2270-4E6E-8758-87F33B8B3721}} - : C:\WINDOWS\system32\xxyxWMFv.dll

Protocol Handler
- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
Windows Live Mail HTML Asynchronous Pluggable Protocol Handler - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - [Microsoft Corporation] : C:\Program Files\Windows Live\Mail\mailcomm.dll

Services
23 - [Lavasoft] : C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
23 - [ALWIL Software] : C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
23 - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
23 - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashServ.exe
23 - [Macrovision Europe Ltd] : C:\WINDOWS\system32\drivers\CdaD10BA.SYS
23 - [Eastman Kodak Company] : C:\WINDOWS\system32\DRIVERS\DcCam.sys
23 - [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfs2k.sys
23 - [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfssvc.exe
23 - [DeviceGuys, Inc.] : C:\WINDOWS\system32\Drivers\DgiVecp.sys
23 - [Kaspersky Lab] : C:\WINDOWS\system32\DRIVERS\klif.sys
23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
23 - [Agere Systems] : C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
23 - [Zone Labs, LLC] : C:\WINDOWS\system32\ZoneLabs\srescan.sys
23 - [VIA Technologies, Inc.] : C:\WINDOWS\system32\drivers\ac97via.sys
23 - [Zone Labs, LLC] : C:\WINDOWS\system32\vsdatant.sys

Winlogon Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyxWMFv, DLLName : : C:\WINDOWS\system32\xxyxWMFv.dll

Advanced Files Report

End of Report


Remove Process:

Preparing structures
Creating System Restore Point
Remove Invalid Startup Items
Deleted Registry : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BM470d0d1a
Closing System Restore Point
Done
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby Piney » June 26th, 2008, 7:56 pm

Thank you for your help!

I ran HJT, fixed the 06 line suggested, the last log follows, reset IE to
default again, still no access, lots of popups ...

I was able to log onto the test forum, open the first thread, "Malware
Removal" then the system hung when I tried to open "Popups & Inability to
visit certain sites" by Sicksix ... it's now over 8 minutes and the
progress bar shows barely 1/3 ... sounds similar to my issue here ....
update now over 15 minutes, logged out, no change.

Popup also registered this IP 89.188.16.28 .... tried to google it, but
system hangs ... google loads normally and quick.

From your earlier email:

I loaded original XP software.

Thanks for the suggestion, I will save the important files to my flashdrive.

This is currently my only system, if there is a problem with this
connection, I can always check email etc at friends.

I can log into IM - xxxxxxxxxx@xxxxx .com but cannot access that
email, re: Cookies message.

Thanks again!

Sandra




********************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:42 PM, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.telus.net/set_region.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {0F3FACB7-2681-4131-9E38-8169242B6B2D} -
C:\WINDOWS\system32\cbXNETKb.dll (file missing)
O2 - BHO: (no name) - {56115928-FDE3-419A-9E0A-0371CCCE012A} - (no file)
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} -
C:\WINDOWS\system32\xxyxWMFv.dll
O2 - BHO: (no name) - {8EE19CA6-B6AF-4765-AFEA-639CBBEF2768} - (no file)
O2 - BHO: Windows Live Sign-in Helper -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common
Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6DAE0AC-48B2-4899-853D-99A739B746C0} -
C:\WINDOWS\system32\wvUljIxw.dll
O2 - BHO: {d3c394f3-7799-d8eb-f454-d1f74fb0909b} -
{b9090bf4-7f1d-454f-be8d-99773f493c3d} - C:\WINDOWS\system32\rbolsdby.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile -
{D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware
Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [443e3e86] rundll32.exe
"C:\WINDOWS\system32\nnnojgvr.dll",b
O4 - HKLM\..\Run: [BM470d0d1a] Rundll32.exe
"C:\WINDOWS\system32\mtqvhjys.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User
'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program
Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -
C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer -
{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows
Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact -
{6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... -
{6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX
Control) -
http://dev.imagingworld.co.kr/printerhelp/introduction/DrPrinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) -
http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}:
NameServer = 75.154.132.68,75.154.132.100
O17 -
HKLM\System\CS2\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}:
NameServer = 75.154.132.68,75.154.132.100
O17 -
HKLM\System\CS3\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}:
NameServer = 75.154.132.68,75.154.132.100
O20 - AppInit_DLLs: dshasrgq.dll
O20 - Winlogon Notify: xxyxWMFv - C:\WINDOWS\SYSTEM32\xxyxWMFv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft -
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company -
C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) -
Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 9483 bytes


The IP address she mentions as coming from a popup (89.188.16.28) is from the Netherlands:
inetnum: 89.188.16.0 - 89.188.16.255
netname: NL-CUST-DUOCAST-XS-24
descr: XS-24 Subnet
org: ORG-XIl3-RIPE
country: NL
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
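
An added example, not part of this thread or of HijackThis, Spyware Terminator or any other tool the helpers used: a small Python triage script that applies the checks a helper does by eye to the O2/O4/O20 lines of the HJT log above. It assumes the log was saved with word wrap off (one HJT entry per line); the sample lines are constructed from entries in the posted log, and looks_random() is a hypothetical heuristic that will also trip on some legitimate eight-letter DLL names.

```python
"""Triage helper for HijackThis 2.0.x logs.

Added example for this thread; it is not part of HijackThis, Spyware
Terminator, or any tool the helpers used. It flags the kinds of entries
a helper picks out by eye in the log above: "(no name)" BHOs and
rundll32 autostarts pointing at eight-letter pseudo-random DLLs in
system32, plus AppInit_DLLs and Winlogon Notify entries. Lines must be
unwrapped (word wrap off in Notepad), one HJT entry per line.
"""
import re
from dataclasses import dataclass

# Constructed sample built from entries in the log posted above; nothing is
# read from a live system.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - C:\WINDOWS\system32\xxyxWMFv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [443e3e86] rundll32.exe "C:\WINDOWS\system32\nnnojgvr.dll",b
O4 - HKLM\..\Run: [BM470d0d1a] Rundll32.exe "C:\WINDOWS\system32\mtqvhjys.dll",s
O20 - AppInit_DLLs: dshasrgq.dll
O20 - Winlogon Notify: xxyxWMFv - C:\WINDOWS\SYSTEM32\xxyxWMFv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

VOWELS = set("aeiouAEIOU")
SYSTEM32_DLL = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Hypothetical heuristic for the eight-letter pseudo-random DLL names in
    this log (xxyxWMFv, nnnojgvr, mtqvhjys, dshasrgq): exactly eight letters
    and either at most one vowel or letter case that flips at least twice.
    It produces leads, not verdicts; some legitimate names will trip it."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(ch in VOWELS for ch in stem)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels <= 1 or flips >= 2


def system32_stem(line: str):
    """Return the file stem of a system32 DLL referenced on the line, or None."""
    m = SYSTEM32_DLL.search(line)
    return m.group(1) if m else None


@dataclass
class Finding:
    section: str  # HJT section code: O2, O4 or O20
    reason: str
    line: str


def analyze(log_text: str) -> list[Finding]:
    """Walk an unwrapped HJT log and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            # A BHO with no name, or a random-looking DLL, living in system32.
            stem = system32_stem(line)
            if stem and ("(no name)" in line or looks_random(stem)):
                findings.append(Finding("O2", f"unnamed or random BHO {stem}.dll", line))
        elif line.startswith("O4 - ") and "rundll32" in line.lower():
            # Run key that uses rundll32 to load a random-looking system32 DLL.
            stem = system32_stem(line)
            if stem and looks_random(stem):
                findings.append(Finding("O4", f"rundll32 autostart of {stem}.dll", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that uses user32.dll;
            # any non-empty value deserves review, random names more so.
            value = line.split(":", 1)[1].strip()
            for entry in filter(None, re.split(r"[,\s]+", value)):
                stem = re.sub(r"\.dll$", "", entry, flags=re.IGNORECASE)
                tag = "random-looking " if looks_random(stem) else ""
                findings.append(Finding("O20", f"{tag}AppInit_DLLs entry {entry}", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Winlogon Notify packages run inside winlogon.exe at logon.
            stem = system32_stem(line)
            if stem and looks_random(stem):
                findings.append(Finding("O20", f"Winlogon Notify package {stem}.dll", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the five entries the helpers later had fixed (the unnamed BHO, the two rundll32 Run keys, the AppInit_DLLs value and the Winlogon Notify package) and stays quiet on the avast!, Adobe and Windows Live lines.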

Re: Posted for godivarides

Unread postby dan12 » June 27th, 2008, 12:42 am

Hi, Piney, good to hear from you again! I'll be happy to help you out.
Piney, when you produce a HJT log can you uncheck "word wrap"? Open Notepad, click Format, uncheck Word Wrap.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
____________


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

_____________


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 2:20 am

I will copy this all over to the victim via EMAIL, and hopefully she will be able to proceed uneventfully :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 1:24 pm

Dan, so sorry for the word wrap, I posted directly from the EMAIL she sent to me.

Here is her latest reply:
Please thank Dan for his knowledge, great instructions and guidance!

Can't access or load Windows Updater - blank page, or any site that may

Here's the HJT log and also the Spyware Terminator - states Trojan.monder.zm with dll files

I was able to download and run the ATF download, completed its action.

I can't access the bleepingcomputer, tried removing the extension, tried opening a new window and adding the address - no luck, tried going to cnet.com - easily loads, tried using their search engine, bleepingcomputer comes up, system hangs.

http://www.bleepingcomputer.com

Is there any way to send me this tool file, so I can open it from the email?

Very strange, some internet connections hang and others load like there's no problem! Almost seems like a criteria list - if address contains words such as "microsoft, computer, virus" ... hang system; innocuous sites load easily and quickly, like a horoscope website.

I rebooted to see if that makes a difference and it doesn't.

Sandra


I copied the page from BC, sent that, and then downloaded the ComboFix tool and also sent that to her (Big file!!!)

I have several logs to post and hopefully the formatting is ok
=========================================================

HJT log

Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
avast! Antivirus
CD Viewer
Forms on CD
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Driver Diagnostics
hp instant support
hp officejet g series
HP OfficeJet G Series
Kodak EasyShare software
Logitech MouseWare 9.80
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Paltalk Messenger
Plaxo
QuarkXPress 5.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Spyware Terminator
TELUS eCare
TELUS eCare Plugin
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
XoftSpySE
Yahoo! Messenger
ZoneAlarm

-=
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 1:26 pm

Logfile of Spyware Terminator v2.2.1.433 (db:2.006.026.000)Scan Time: 27/06/2008 2:00:59 AM length: 2341 s

End of Report


Remove Process:


Preparing structures

Creating System Restore Point

Remove Trojan.Monder.zm

File Deletion Failed (Failed) : C:\WINDOWS\system32\dshasrgq.dll

File moved and set for deletion after restart:C:\WINDOWS\system32\dshasrgq.dll

Deleted Registry : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Remove Affiliate tracking cookie

Deleted File: C:\Documents and Settings\Sandra Miller\cookies\sandra_miller@ehg.hitbox[1].txt

Deleted File: C:\Documents and Settings\Sandra Miller\cookies\sandra_miller@hitbox[2].txt

Closing System Restore Point

Done

***********************************************************************************************************************

Platform: WXP (5.1.0.2600)

User: Admin

Boot Mode: Normal

Scan type: Full_Spyware_Scan

Scanned Objects: 176402 (Critical:2)

Filter: No System items, No Safe items, No Invalid items

Running Processes

aawservice.exe [Lavasoft] : C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

aswUpdSv.exe [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

ashServ.exe [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashServ.exe

dcfssvc.exe [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfssvc.exe

MotiveSB.exe [TELUS] : C:\Program Files\TELUS eCare\SmartBridge\MotiveSB.exe

sqlservr.exe [Microsoft Corporation] : C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe

em_exec.exe [Logitech Inc.] : C:\Program Files\Logitech\MouseWare\system\em_exec.exe

InstallStub.exe [Plaxo] : C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe

hpoavn07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

ymsgr_tray.exe [Yahoo! Inc.] : C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

hpoevm07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe

hpOSTS07.exe [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

vsmon.exe [Zone Labs, LLC] : C:\WINDOWS\system32\ZONELABS\vsmon.exe

WLLoginProxy.exe [Microsoft Corporation] : C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

msnmsgr.exe [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msnmsgr.exe

usnsvc.exe [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\usnsvc.exe

Internet Settings

R - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://home.microsoft.com/search/lobby/search.asp

R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

R - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride = 127.0.0.1;localhost

R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =

R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO

02 - BHO: - {7D3C7FA8-2270-4E6E-8758-87F33B8B3721} - : C:\WINDOWS\system32\xxyxWMFv.dll

02 - BHO: - {B72DAA22-873E-4D7B-88B1-E6AD346B626D} - : C:\WINDOWS\system32\wvUljIxw.dll

02 - BHO: - {b9090bf4-7f1d-454f-be8d-99773f493c3d} - : C:\WINDOWS\system32\rbolsdby.dll

02 - BHO: Messenger Class - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - [Yahoo! Inc.] : C:\Program Files\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE

StartUps

04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PlaxoUpdate : [Plaxo] : C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe

04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Yahoo! Pager : [Yahoo! Inc.] : C:\Program Files\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Motive SmartBridge : [TELUS] : C:\Program Files\TELUS eCare\SmartBridge\MotiveSB.exe

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, APL : [Best Software] : C:\Program Files\ACT\ACT FOR WIN 7\APL.EXE

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 443e3e86 : : C:\WINDOWS\system32\nnnojgvr.dll

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, BM470d0d1a : : C:\WINDOWS\system32\mtqvhjys.dll

04 - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs : : C:\WINDOWS\system32\dshasrgq.dll

04 - HKLM\System\CurrentControlSet\Control\Session Manager, BootExecute : : C:\WINDOWS\system32\lsdelete.exe

04 - Startup: %STARTUPALL%\HPAiODevice(hp officejet g series) - 1.lnk [Hewlett-Packard Co.] : C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe

Shell Extensions

KodakShellExtension - {acb4a560-3606-11d3-aef4-00104bd0f92d} - [Eastman Kodak Company] : C:\Program Files\Common Files\Kodak\IFScore\shellext.dll

YMailShellExt Class - {5464D816-CF16-4784-B9F3-75C0DB52B499} - [Yahoo! Inc.] : C:\Program Files\Yahoo!\Common\ymmapi.dll

My Sharing Folders - {FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll

CLSID_WLMCMimeFilter - {0563DB41-F538-4B37-A92D-4659049B7766} - [Microsoft Corporation] : C:\Program Files\Windows Live\Mail\mailcomm.dll

- {06A2568A-CED6-4187-BB20-400B8C02BE5A} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe

Windows Live Photo Gallery Import Autoplay Shim - {00F33137-EE26-412F-8D71-F84E4C2C6625} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

Windows Live Photo Gallery Viewer Shim - {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

Windows Live Photo Gallery Editor Shim - {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

Windows Live Photo Gallery Viewer Autoplay Shim - {00F30F90-3E96-453B-AFCD-D71989ECC2C7} - [Microsoft Corporation] : C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll

ZLAVShExt Class - {D9872D13-7651-4471-9EEE-F0A00218BEBB} - [Zone Labs, LLC] : C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

avast - {472083B0-C522-11CF-8763-00608CC02F24} - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashShell.dll

WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} - : C:\Program Files\WinRar\rarext.dll

Outlook File Icon Extension - {0006F045-0000-0000-C000-000000000046} - [Microsoft Corporation] : C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL

Shell Extecute Hooks

- {{7D3C7FA8-2270-4E6E-8758-87F33B8B3721}} - : C:\WINDOWS\system32\xxyxWMFv.dll

Protocol Handler

- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

Windows Live Mail HTML Asynchronous Pluggable Protocol Handler - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - [Microsoft Corporation] : C:\Program Files\Windows Live\Mail\mailcomm.dll

Services

23 - [Lavasoft] : C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

23 - [ALWIL Software] : C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys

23 - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

23 - [ALWIL Software] : C:\Program Files\Alwil Software\Avast4\ashServ.exe

23 - [Macrovision Europe Ltd] : C:\WINDOWS\system32\drivers\CdaD10BA.SYS

23 - [Eastman Kodak Company] : C:\WINDOWS\system32\DRIVERS\DcCam.sys

23 - [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfs2k.sys

23 - [Eastman Kodak Company] : C:\WINDOWS\system32\drivers\dcfssvc.exe

23 - [DeviceGuys, Inc.] : C:\WINDOWS\system32\Drivers\DgiVecp.sys

23 - [Kaspersky Lab] : C:\WINDOWS\system32\DRIVERS\klif.sys

23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys

23 - [Logitech, Inc.] : C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys

23 - [Agere Systems] : C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys

23 - [Zone Labs, LLC] : C:\WINDOWS\system32\ZoneLabs\srescan.sys

23 - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\usnsvc.exe

23 - [VIA Technologies, Inc.] : C:\WINDOWS\system32\drivers\ac97via.sys

23 - [Zone Labs, LLC] : C:\WINDOWS\system32\vsdatant.sys

Winlogon Notify

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyxWMFv, DLLName : : C:\WINDOWS\system32\xxyxWMFv.dll

Threat Files

<Trojan.Monder.zm> : C:\WINDOWS\system32\dshasrgq.dll

Advanced Files Report

%PROGRAMFILES%\Lavasoft\Ad-Aware\aawservice.exe [Lavasoft] [Ad-Aware Service] MD5=17067069B9A7865028C1F2E6971D0CCC SIZE=611664

%PROGRAMFILES%\Lavasoft\Ad-Aware\CEAPI.dll [Lavasoft] [CEAPI Dynamic Link Library] MD5=4E0BC5EA2FAF42E7702F80BC69EF7EAB SIZE=804200

%PROGRAMFILES%\Lavasoft\Ad-Aware\PKArchive85u.dll [PKWARE, Inc.] [PKWARE Archive API] MD5=46374252AFA0A37F4F7AF528F6F16B96 SIZE=907096

%PROGRAMFILES%\Alwil Software\Avast4\aswUpdSv.exe [ALWIL Software] [avast! Antivirus] MD5=67AF5593EF8359B56DAD6F289D22494B SIZE=17272

%PROGRAMFILES%\Alwil Software\Avast4\aswCmnS.dll [ALWIL Software] [avast! Antivirus] MD5=C20B26B1C1F9C7FF330DE50C71EA742E SIZE=192512

%PROGRAMFILES%\Alwil Software\Avast4\aswCmnOS.dll [ALWIL Software] [avast! Antivirus] MD5=2A69D0A072A6305EBCB8FEDC31714A31 SIZE=86016

%PROGRAMFILES%\Alwil Software\Avast4\aswCmnB.dll [ALWIL Software] [avast! Antivirus] MD5=3AA810D3408D860B9104752DF989680D SIZE=126976

%PROGRAMFILES%\Alwil Software\Avast4\ashServ.exe [ALWIL Software] [avast! Antivirus] MD5=373BF09D372A82EA637CA9A6BC8CC8E9 SIZE=144760

%PROGRAMFILES%\Alwil Software\Avast4\aswAux.dll [ALWIL Software] [avast! Antivirus] MD5=8E7D4DBF7B9EDEE8F77D3E7EC4C25C5F SIZE=659456

%PROGRAMFILES%\Alwil Software\Avast4\aswEngin.dll [ALWIL Software] [avast! Antivirus] MD5=908BB9E14DB751AD895DC799AF2A5B19 SIZE=1228800

%PROGRAMFILES%\Alwil Software\Avast4\aswScan.dll [ALWIL Software] [avast! Antivirus] MD5=1169CB343AD88073C910742BD1F7AB64 SIZE=81920

%PROGRAMFILES%\Alwil Software\Avast4\ashBase.dll [ALWIL Software] [avast! Antivirus] MD5=6158A105DA36E4500EF002C0EEF6FC91 SIZE=225280

%PROGRAMFILES%\Alwil Software\Avast4\ashTask.dll [ALWIL Software] [avast! Antivirus] MD5=FDF0F972ADAB3033E711323CF5CAA532 SIZE=114688

%PROGRAMFILES%\Alwil Software\Avast4\aswInteg.dll [ALWIL Software] [avast! Antivirus] MD5=252EA98886C919A69AC7976A06CCE9C1 SIZE=22528

%PROGRAMFILES%\Alwil Software\Avast4\aswIdle.dll [ALWIL Software] [avast! Antivirus] MD5=60497A074507B849E8ACCD63B3D74078 SIZE=10104

%PROGRAMFILES%\Alwil Software\Avast4\Aavm4h.dll [ALWIL Software] [avast! Antivirus] MD5=EDECD8F14672A0CE1F482ABBB7062436 SIZE=221184

%PROGRAMFILES%\Alwil Software\Avast4\English\Base.dll [ALWIL Software] [avast! Antivirus] MD5=D516859892DBB852176DF4789DE3BE4D SIZE=61440

%PROGRAMFILES%\Alwil Software\Avast4\AhResMai.dll [ALWIL Software] [avast! Antivirus] MD5=F6DAA8972A1FE33788FA804858DAA780 SIZE=35840

%PROGRAMFILES%\Alwil Software\Avast4\ahResMes.dll [ALWIL Software] [avast! Antivirus] MD5=A0984F76E322C2479704A9210BC36C2E SIZE=32768

%PROGRAMFILES%\Alwil Software\Avast4\AhResNS.dll [ALWIL Software] [avast! Antivirus] MD5=505AEDC172FDFE815E3C5F5BFD27BDA7 SIZE=31744

%PROGRAMFILES%\Alwil Software\Avast4\AhResOut.dll [ALWIL Software] [avast! Antivirus] MD5=4FD8EA106BA68A2FDC45B63612CF30FB SIZE=29696

%PROGRAMFILES%\Alwil Software\Avast4\ahResP2P.dll [ALWIL Software] [avast! Antivirus] MD5=E921D6B3735606410FFD16CDA9E9F1AB SIZE=33280

%PROGRAMFILES%\Alwil Software\Avast4\AhResStd.dll [ALWIL Software] [avast! Antivirus] MD5=2A150EA90C5BF491D7BA6E1B0298D53A SIZE=43008

%PROGRAMFILES%\Alwil Software\Avast4\AhResWS.dll [ALWIL Software] [avast! Antivirus] MD5=19F4BF7E5A180CF305B6CF719FA24D61 SIZE=53248

%PROGRAMFILES%\Alwil Software\Avast4\ashSSqlt.dll [ALWIL Software] [avast! Antivirus] MD5=FF54497E52DA613CD6EA6907239E9FA6 SIZE=233472

%COMMONFILES%\Logitech\Scrolling\LgMsgHk.dll [Logitech Inc.] [Productivity Software Common Files] MD5=F7FEB9FC47D2E000A4EEBDC4F0502A7B SIZE=24064

%PROGRAMFILES%\Logitech\MouseWare\System\LgWndHk.dll [Logitech Inc.] [MouseWare] MD5=649955CFFEB01DA4F9E58BF09DBBFCA6 SIZE=6144

%PROGRAMFILES%\TELUS eCare\SmartBridge\SBHook.dll [Motive, Inc.] [TELUS eCare] MD5=5184703A046287971A152BDA5E31CA43 SIZE=122880

%SYSDIR%\SUGW2LMK.DLL [Samsung Electronics.] [Language Monitor for Status Monitor] MD5=2D0F4B5C0B3A74E531AB78008AAECEA3 SIZE=20622

%SYSDIR%\drivers\dcfssvc.exe [Eastman Kodak Company] [Kodak DC File System Driver (Win32)] MD5=DD9CC789CC96358AE2033C0874EF7B36 SIZE=188987

%PROGRAMFILES%\TELUS eCare\SmartBridge\httpclient52.dll [Motive Communications, Inc.] [Motive System] MD5=CAF0AC94386BD20475C681A6C373764F SIZE=159744

%PROGRAMFILES%\TELUS eCare\SmartBridge\clientutil52.dll [Motive Communications, Inc.] [Motive System] MD5=D41BC0E2029A1D4C6D4CEB45040B5838 SIZE=282624

%PROGRAMFILES%\TELUS eCare\SmartBridge\SBRes.dll [TELUS] [TELUS eCare SmartBridge Resources] MD5=52A2AE15F84DA445E0875BFA7E7127E4 SIZE=69632

%PROGRAMFILES%\TELUS eCare\SmartBridge\alertfilter.dll [Motive Communications, Inc.] [Motive System] MD5=50B4125D015686D0E2C74920787AF897 SIZE=225280

%PROGRAMFILES%\TELUS eCare\SmartBridge\libcurl.dll MD5=D881589211360A2B06C1E11BA8E74A76 SIZE=327746

%PROGRAMFILES%\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [Microsoft Corporation] [Microsoft SQL Server] MD5=1251256FEFC2B00A7BD603578241F0AD SIZE=7544916

%PROGRAMFILES%\Alwil Software\Avast4\English\Lang.dll [ALWIL Software] [avast! Antivirus] MD5=DC8E8B57F8D5403E630B657952BD7E8F SIZE=2527232

%PROGRAMFILES%\Alwil Software\Avast4\AavmRpch.dll [ALWIL Software] [avast! Antivirus] MD5=AD1251EA8E6A1609BA7D43079E1456E4 SIZE=20480

%PROGRAMFILES%\alwil software\avast4\ahruimai.dll [ALWIL Software] [avast! Antivirus] MD5=8A07846EB1591AA0112D1D2AB3A711E2 SIZE=65536

%PROGRAMFILES%\Alwil Software\Avast4\ashUInt.dll [ALWIL Software] [avast! Antivirus] MD5=3F205B1F9F7D26DFA88DD848937EA152 SIZE=315392

%PROGRAMFILES%\Alwil Software\Avast4\XT1922.dll [Codejock Software] [XTToolkit Dynamic Link Library] MD5=92ACEE03566D4B37788084D4C497E2D8 SIZE=917504

%PROGRAMFILES%\alwil software\avast4\ahruimes.dll [ALWIL Software] [avast! Antivirus] MD5=5F29F319033A36E3AE63544EC6C1AE63 SIZE=36864

%PROGRAMFILES%\alwil software\avast4\ahruins.dll [ALWIL Software] [avast! Antivirus] MD5=240C25A4B13639DC6814ACF2424E2030 SIZE=36864

%PROGRAMFILES%\alwil software\avast4\ahruiout.dll [ALWIL Software] [avast! Antivirus] MD5=591592FBF8FF82F3CED3BABA4160D325 SIZE=90112

%PROGRAMFILES%\alwil software\avast4\ahruip2p.dll [ALWIL Software] [avast! Antivirus] MD5=77B906C716C3F5FCEE9FE225A56C7BEE SIZE=22528

%PROGRAMFILES%\alwil software\avast4\ahruistd.dll [ALWIL Software] [avast! Antivirus] MD5=722323EDD1D3FA05067DCA8A1B5C0625 SIZE=57344

%PROGRAMFILES%\alwil software\avast4\ahruiws.dll [ALWIL Software] [avast! Antivirus] MD5=0EA99DF481E69CF1F2669FCFB7A76C01 SIZE=49152

%PROGRAMFILES%\Logitech\MouseWare\system\em_exec.exe [Logitech Inc.] [MouseWare] MD5=7AA42B6EE677EE292C1E74055D409750 SIZE=38912

%PROGRAMFILES%\Logitech\MouseWare\system\EVENTEX.dll [Logitech Inc.] [MouseWare] MD5=C8D6ACE87E20BA1005AF9B439D310147 SIZE=237568

%SYSDIR%\COMNCTR.dll [Logitech Inc.] [MouseWare] MD5=DE131CF624772AD61EBD3EA2D971CFED SIZE=104960

%PROGRAMFILES%\Logitech\MouseWare\system\ccresrce.dll [Logitech Inc.] [MouseWare] MD5=F6433B3B32F2EF5263ADBABE152E8633 SIZE=78848

%PROGRAMFILES%\Logitech\MouseWare\system\GlbResLt.dll [Logitech Inc.] [MouseWare] MD5=3A47808D1F89F8C8EA30E204FD8D0BEE SIZE=13312

%PROGRAMFILES%\Logitech\MouseWare\System\devices.dll [Logitech Inc.] [MouseWare] MD5=1142BC054D0DC4183F90D24A7909EF72 SIZE=136192

%PROGRAMFILES%\Logitech\MouseWare\system\ccstmglb.dll [Logitech Inc.] [MouseWare] MD5=736221B3EBC2E32DA3EE34BBC56A69C3 SIZE=21504

%PROGRAMFILES%\Logitech\MouseWare\system\ccustom.dll [Logitech Inc.] [MouseWare] MD5=AFDD32943DAAE0B6F633FB31C142B170 SIZE=16384

%PROGRAMFILES%\Logitech\MouseWare\system\ccmsghk.dll [Logitech Inc.] [MouseWare] MD5=37D28FC5E8BB9C0C00CC91CF9447C96F SIZE=42496

%PROGRAMFILES%\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [Hewlett-Packard Co.] [hp officejet g series] MD5=0C284F768815000381E76898624C2E68 SIZE=151552

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpodvm07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=A82D00DF93686BED9A9310870E03E4E1 SIZE=225280

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpores07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=693145219C974762DACDD6D6A8CF387B SIZE=8253440

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpocob07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=49D87435C0ABDD1AAC14D176959E7823 SIZE=73728

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpodvi07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=E215090C1C6CCEC8DBC1250AE6AE0969 SIZE=331776

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpodvb07.dll [Hewlett-Packard] [DevBase Module] MD5=B923B96C35776C9FFFBD157E77D66E46 SIZE=204800

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hposcn07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=FE859B63F0C5E93BFE456D27CA20FF79 SIZE=122880

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\ltkrn12n.dll [LEAD Technologies, Inc.] [LEADTOOLS(r) DLL for Win32] MD5=782B8AE034A8CF8F51FA89E986EBBFC0 SIZE=406016

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\ltfil12n.DLL [LEAD Technologies, Inc.] [LEADTOOLS(r) DLL for Win32] MD5=3FA4DCF0B390468C1BD58488C6B47BE3 SIZE=121344

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpodio07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=87DE98634397611925D0A709A71216C1 SIZE=450560

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\bin\hpOSCL07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=B09603EC5FA7990F1DBB454969F4D51C SIZE=307266

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\bin\hpoip07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=AB9C28DB49ECA5F6F15E75B170659ECA SIZE=258048

%SYSDIR%\hpOIDR07.dll [HP] [HP Dot4Rtl] MD5=7E08D77F08569C3ECB0F1862A42B0BC8 SIZE=73728

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpopxs07.dll MD5=A312ACF4C86959F0541713F0305FDACC SIZE=28672

%SYSDIR%\hpOIPR07.dll [HP] [HP PmlRtl] MD5=58AC7CB94E5B316A3EF6D4C7FA7D000C SIZE=53248

%PROGRAMFILES%\Yahoo!\Messenger\ymsgr_tray.exe [Yahoo! Inc.] [Yahoo! Messenger] MD5=DADAC0AE0B9648F18A8E0D5679D878E1 SIZE=103928

%PROGRAMFILES%\Yahoo!\Messenger\res_msgr.dll [Yahoo! Inc.] [Yahoo! Messenger] MD5=9778C39BE7610327BA309BD7F5A475E4 SIZE=1437696

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe [Hewlett-Packard Co.] [hp officejet g series] MD5=786A9556B35CA88E867213E135BB5DEF SIZE=299008

%PROGRAMFILES%\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe [Hewlett-Packard Co.] [hp officejet g series] MD5=C596C2F76134513F5429215F06EC72D7 SIZE=294912

%SYSDIR%\hpotap07.dll [Hewlett-Packard Co.] [hp officejet g series] MD5=8B1473833E5CBEB31C3FC5EE30F2713D SIZE=40960

%SYSDIR%\ZONELABS\vsmon.exe [Zone Labs, LLC] [TrueVector Service] MD5=3003168A5E42D80F0ADD5C319BC78A7C SIZE=75304

%WINDIR%\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c1e28ec8\mscorlib.dll MD5=803946C58C3EC1361DDEAFBA8680B627 SIZE=3391488

%PROGRAMFILES%\act\act for win 7\plugins\act.ui.internetexplorer.plugins.attachfile.dll [Best Software] [ACT!] MD5=66872919225ADB098C2498C5439AF13F SIZE=24576

%PROGRAMFILES%\act\act for win 7\plugins\interop.shdocvw.dll [Assembly imported from type library SHDocVw] MD5=D114346B7AC960040C29B0F78A7E4B05 SIZE=126976

%SYSDIR%\Macromed\Flash\Flash9f.ocx [Adobe Systems, Inc.] [Shockwave Flash] MD5=48FDF435B8595604E54125B321924510 SIZE=2991488

%COMMONFILES%\Microsoft Shared\Windows Live\WLLoginProxy.exe [Microsoft Corporation] [Microsoft® Windows Live Login Helper] MD5=7FA0AA2F3DABA5BEB2C4AC1EEC054EFA SIZE=118336

%PROGRAMFILES%\Windows Live\Messenger\msnmsgr.exe [Microsoft Corporation] [Messenger] MD5=A8972A2F9A744DD5EE0BFE429D767F1C SIZE=5724184

%PROGRAMFILES%\Windows Live\Messenger\usnsvc.exe [Microsoft Corporation] [Messenger] MD5=9D19B042A4FD5C02195071EA2FE0C821 SIZE=98328

%PROGRAMFILES%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

%SYSDIR%\cbXNETKb.dll

deskpan.dll

%COMMONFILES%\Kodak\IFScore\shellext.dll [Eastman Kodak Company] [SHELLEXT Dynamic Link Library] MD5=6DE871C589D01548B19B2CA442011EBA SIZE=360501

%PROGRAMFILES%\Yahoo!\Common\ymmapi.dll [Yahoo! Inc.] [YMMAPI Module] MD5=A0C86DB296BBE76145377D56C5975175 SIZE=190496

%PROGRAMFILES%\Windows Live\Messenger\fsshext.8.5.1302.1018.dll [Microsoft Corporation] [Messenger] MD5=8BDE1F61DFBAAE7A2916170E8B75FE0F SIZE=329240

%PROGRAMFILES%\Windows Live\Mail\mailcomm.dll [Microsoft Corporation] [Messenger] MD5=6A69BEDDD514F21B8A216B85EAF330B5 SIZE=858136

%PROGRAMFILES%\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe [Microsoft Corporation] [Windows Live Photo Gallery] MD5=86C67242AC4ADA2C20D0748157E3ED8C SIZE=227456

%PROGRAMFILES%\Windows Live\Photo Gallery\PhotoViewerShim.dll [Microsoft Corporation] [Windows Live Photo Gallery] MD5=024F4D95154039B2292F4B856A52AB7D SIZE=46112

%SYSDIR%\rundll32.exe "C:\Program Files\Windows Live\Photo Gallery\WLXPhotoViewer.dll",PhotoViewerComServer {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C}

%SYSDIR%\rundll32.exe "C:\Program Files\Windows Live\Photo Gallery\WLXPhotoViewer.dll",PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C}

%SYSDIR%\rundll32.exe "C:\Program Files\Windows Live\Photo Gallery\WLXPhotoViewer.dll",PhotoViewerComServer {00F374B7-B390-4884-B372-2FC349F2172B}

%PROGRAMFILES%\Zone Labs\ZoneAlarm\zlavscan.dll [Zone Labs, LLC] [zlavscan shell extension] MD5=386E2CFD312BE97B1AEC91C92CC95A1E SIZE=50664

%PROGRAMFILES%\Alwil Software\Avast4\ashShell.dll [ALWIL Software] [avast! Antivirus] MD5=ABD1D845FC1EA9BDACBFBB284AD3E974 SIZE=75128

%PROGRAMFILES%\WinRar\rarext.dll MD5=CBAA3D8FBD81C22834BE55FB7461CEC6 SIZE=121344

%PROGRAMFILES%\Microsoft Office\Office10\OLKFSTUB.DLL [Microsoft Corporation] [Microsoft Outlook] MD5=3756445FEBC6CBC90AFC22E5E38F7294 SIZE=54688

%SYSDIR%\DRIVERS\aswFsBlk.sys [ALWIL Software] [avast! Antivirus System] MD5=922C09ED986C31D6D4445DC937465103 SIZE=20560

%SYSDIR%\svchost.exe -k netsvcs

%SYSDIR%\drivers\CdaD10BA.SYS [Macrovision Europe Ltd] [Security Windows NT] MD5=841CEFAB8228EE691705D059E7F21C47 SIZE=12464

%SYSDIR%\DRIVERS\DcCam.sys [Eastman Kodak Company] [Kodak Digital Camera Driver] MD5=844A9B14E2799A2ADEC1F392E7407D72 SIZE=34938

%SYSDIR%\drivers\dcfs2k.sys [Eastman Kodak Company] [Kodak DC File System Driver (NT)] MD5=7CEF1CD1DC5C24208F196C36EB48A411 SIZE=36885

%SYSDIR%\svchost -k DcomLaunch

%SYSDIR%\Drivers\DgiVecp.sys [DeviceGuys, Inc.] [DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1] MD5=D514B430E2989F846137828C90370C16 SIZE=41984

%SYSDIR%\svchost.exe -k NetworkService

%SYSDIR%\svchost.exe -k HTTPFilter

%SYSDIR%\DRIVERS\klif.sys [Kaspersky Lab] [Kaspersky Anti-Virus] MD5=2CF7C3DD0102A32A680EF97F3B1C861A SIZE=127768

%SYSDIR%\DRIVERS\L8042pr2.Sys [Logitech, Inc.] [Logitech MouseWare(TM)] MD5=42DEC1FBCFA291720460705A8881A1C4 SIZE=51582

%SYSDIR%\svchost.exe -k LocalService

%SYSDIR%\DRIVERS\LMouFlt2.Sys [Logitech, Inc.] [Logitech MouseWare(TM)] MD5=26407519FCA64EC4091FE1F815B4AFC4 SIZE=70894

%SYSDIR%\DRIVERS\ltmdmnt.sys [Agere Systems] [Agere V.92 Data+Fax Modem Version 8.31] MD5=3070246FBA35AA2E0C2251D55F5848F8 SIZE=652689

%PROGRAMFILES%\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7

%SYSDIR%\svchost -k rpcss

%SYSDIR%\ZoneLabs\srescan.sys [Zone Labs, LLC] [srescanner] MD5=BDA0ECC7CBA1D3B9FD7FF2881BF9B463 SIZE=51176

%SYSDIR%\svchost.exe -k imgsvc

%SYSDIR%\drivers\ac97via.sys [VIA Technologies, Inc.] [VIA Audio WDM Driver] MD5=819BF44085104BE6527B86A88ACF856B SIZE=84480

%SYSDIR%\vsdatant.sys [Zone Labs, LLC] [TrueVector Device Driver] MD5=490EC3935775D740DB74C79EBBD1CBD9 SIZE=394952

%SYSDIR%\ZONELABS\vsmon.exe -service

%PROGRAMFILES%\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll [Microsoft Corporation] [Messenger] MD5=56319E6B4D190A2DEB4463A9CE4D4F74 SIZE=66072

Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby dan12 » June 27th, 2008, 1:42 pm

Thanks Piney, things should start to improve once we get on top of the infection using combofix.
Will await the report. :) Can appreciate it's hard being in the middle so to speak, we'll get there I'm sure.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 3:34 pm

I know it is getting late for you. Just received these from the victim:

OE removed access, stating it was unsafe! Combofix.exe Can this be zipped
or was it zipped?

I've printed the BC file instructions, and tried the other 2 websites -
can't access either - system just hangs, the geekstogo site just redirected
to 89.188.16.39, probably another popup ad.

Sandra

and
Hi Jo


I'm at my friend's computer, my system is really hanging.


I've logged into bleepingcomputer and created an ID and download combofix.exe and doesn't recognize it.


Now confused.


Sandra


I sent the tool not zipped, and should have told her to disable security in order to receive it :(

I have requested clarification of the last communication about "download combofix.exe and doesn't recognize it."

I also asked that she not access her banking stuff, contact her bank and tell them of the problem with her computer and have them initiate a change of password as well as flag the account to watch for possible fraud.

-----------------
Addendum: it seems she couldn't find Combofix from her friend's computer by doing a search at BC and G2G. I've resent the link to the page.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby dan12 » June 27th, 2008, 4:02 pm

When she runs the tool Piney, she needs to disable avast! whilst the scan is running.
If we get the combo log back, I can give some instructions for the other malware programs running.
Not too late here at the moment :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 4:04 pm

I sent a separate email to tell her to do that, so we shall see.

Dan, thank you so much for helping out and for your kindness :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby Piney » June 27th, 2008, 11:15 pm

Latest from the victim:
Just wanted to update you! I copied SuperAntispyware from geekstogo when I
copied Combofix.

Once home, couldn't access anything, never mind the Recover module!

I closed everything off and decided to run the SuperAnti-spyware program.
It took 1.5 hours and found 28 viruses/trojans! Moved them all to the virus
chest and rebooted. I'm defragging my system and will run
SuperAnti-spyware again. Then I will try ComboFix.

I received NO EMAIL today outside of the few from you, I'm assuming my
regular email must have been rejected, far too few pieces for a normal day.

Looks like I lost some email addresses stored in address book, but I finally
got access to my hotmail account and the other sites requiring logins, like
the workopolis etc.

I'm very grateful for your help!! Even taking you away from your
housework!! I will keep you posted on the Combo fix as there's likely some
residual issues.

Can you suggest what anti-virus, anti-spyware to run? I'm surprised that
with all the programs I was running, nothing caught these trojans!

Finding SuperAnti-spyware was truly a blessing, thank you!

Sandra


In my reply I said:
I hesitate giving you any programs to run as we don't want to mess up Dan's cleaning of your machine.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 5:38 am

I will update this post soon for those that were following the thread.
I have been working with godivarides via email because of the problems she was having.
Regards dan :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:13 pm

First combofix report I received :)

ComboFix 08-06-20.4 - Sandra Miller 2008-06-27 23:12:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -6:00]
Running from: C:\Documents and Settings\Sandra Miller\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sandra Miller\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM470d0d1a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bKTENXbc.ini
C:\WINDOWS\SYSTEM32\bKTENXbc.ini2
C:\WINDOWS\system32\fmfbhlag.ini
C:\WINDOWS\system32\isdlhplg.ini
C:\WINDOWS\system32\rvgjonnn.ini
C:\WINDOWS\system32\tgvnhyrf.ini
C:\WINDOWS\system32\wxIjlUvw.ini
C:\WINDOWS\SYSTEM32\wxIjlUvw.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\fxsclntR.dll
2008-06-27 20:02 . 2002-08-29 06:00 132,608 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxsclntr.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\fxscfgwz.dll
2008-06-27 20:01 . 2002-08-29 06:00 111,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\fxscfgwz.dll
2008-06-27 16:08 . 2008-06-27 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 16:01 . 2008-06-27 16:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 16:01 . 2008-06-27 16:01 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\SUPERAntiSpyware.com
2008-06-27 11:12 . 2008-06-27 11:12 103,424 --a------ C:\WINDOWS\SYSTEM32\vdsutw.dll
2008-06-27 11:12 . 2008-06-27 11:12 103,424 --a------ C:\WINDOWS\SYSTEM32\bvinbhui.dll
2008-06-27 10:49 . 2008-06-27 10:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-26 11:13 . 2008-06-26 11:13 106,496 --a------ C:\WINDOWS\SYSTEM32\rbolsdby.dll
2008-06-25 15:19 . 2008-06-25 15:19 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-25 15:16 . 2008-06-25 15:16 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-25 11:34 . 2008-06-25 11:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-25 11:32 . 2008-06-27 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 20:12 . 2008-06-24 20:12 99,840 --a------ C:\WINDOWS\SYSTEM32\waagihti.dll
2008-06-24 14:25 . 2008-06-24 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:08 . 2008-06-23 23:08 511 --a------ C:\WINDOWS\Canada
2008-06-23 19:42 . 2008-06-23 19:42 95 --a------ C:\WINDOWS\wininit.ini
2008-06-22 17:24 . 2004-11-13 13:37 6,301,096 --a------ C:\Program Files\Zuma Deluxe.exe
2008-06-11 01:16 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-05 13:49 . 2008-06-05 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-04 17:44 . 2008-06-04 17:50 <DIR> d-------- C:\Program Files\Winamp
2008-06-04 17:44 . 2008-06-04 18:13 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Winamp
2008-06-03 17:02 . 2008-06-27 02:00 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-03 16:52 . 2008-06-27 22:57 <DIR> d-------- C:\Documents and Settings\Sandra Miller\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-27 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-03 16:52 . 2008-06-03 16:52 141,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-06-03 16:51 . 2008-06-27 10:54 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-03 12:33 . 2008-06-24 15:57 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-02 21:29 . 2008-06-02 21:29 181 --a------ C:\WINDOWS\ACTPR.INI
2008-05-30 18:52 . 2008-06-24 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 05:25 148,920,352 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 05:22 --------- d-----w C:\Program Files\Plaxo
2008-06-28 05:19 1,746,164 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-27 21:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-26 18:09 311,296 ----a-w C:\WINDOWS\Internet Logs\xDB5A.tmp
2008-06-25 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 20:03 118,272 ----a-w C:\WINDOWS\Internet Logs\xDB57.tmp
2008-06-24 20:03 1,632,768 ----a-w C:\WINDOWS\Internet Logs\xDB58.tmp
2008-06-24 20:02 1,632,768 ----a-w C:\WINDOWS\Internet Logs\xDB59.tmp
2008-06-24 19:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 02:30 2,698,240 ----a-w C:\WINDOWS\Internet Logs\xDB56.tmp
2008-06-23 00:55 3,883,008 ----a-w C:\WINDOWS\Internet Logs\xDB54.tmp
2008-06-23 00:55 1,616,896 ----a-w C:\WINDOWS\Internet Logs\xDB55.tmp
2008-06-22 23:38 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\uTorrent
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 20:24 --------- d-----w C:\Documents and Settings\Sandra Miller\Application Data\SpinTop
2008-06-05 20:16 --------- d-----w C:\Program Files\Safer Networking
2008-06-05 19:42 2,895,360 ----a-w C:\WINDOWS\Internet Logs\xDB53.tmp
2008-06-04 01:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 03:34 --------- d-----w C:\Program Files\ACT
2008-06-01 00:22 2,731,520 ----a-w C:\WINDOWS\Internet Logs\xDB52.tmp
2008-05-29 16:41 1,644,032 ----a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2008-05-28 16:00 1,567,744 ----a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2008-05-28 00:50 2,888,704 ----a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2008-05-25 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-21 09:30 976,896 ----a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2008-05-20 17:56 2,581,504 ----a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2008-05-20 16:15 3,046,912 ----a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2008-05-18 19:52 --------- d-----w C:\Program Files\Alwil Software
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 04:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2008-04-16 15:36 1,045,504 ----a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2008-04-04 02:13 1,508,864 ----a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2008-03-31 17:22 1,508,352 ----a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2008-03-31 17:10 3,075,072 ----a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2008-03-16 21:26 0 ----a-w C:\Program Files\temp01
2000-11-01 22:51 271 --sha-w C:\Program Files\desktop.ini
2000-08-16 00:25 257,636 ----a-w C:\Program Files\TBM313.TMP
2000-08-16 00:25 252,384 ----a-w C:\Program Files\TBM315.TMP
1998-12-11 10:05 74,336 ----a-w C:\Program Files\casmira_.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE_0.TTF
1998-12-02 16:33 10,212 ----a-w C:\Program Files\MSCAPE.TTF
1998-11-12 14:18 155,528 ----a-w C:\Program Files\BKANT.TTF
1998-11-12 14:18 151,000 ----a-w C:\Program Files\ANTQUAB.TTF
1998-11-12 14:18 150,416 ----a-w C:\Program Files\ANTQUABI.TTF
1998-11-12 14:18 149,092 ----a-w C:\Program Files\ANTQUAI.TTF
1998-11-10 20:52 157,360 ----a-w C:\Program Files\MTCORSVA.TTF
1998-11-04 23:30 162,460 ----a-w C:\Program Files\BOOKOSBI.TTF
1998-11-04 23:30 160,940 ----a-w C:\Program Files\BOOKOS.TTF
1998-11-04 23:30 160,920 ----a-w C:\Program Files\BOOKOSI.TTF
1998-11-04 23:30 154,576 ----a-w C:\Program Files\BOOKOSB.TTF
1998-07-30 04:31 58,088 ----a-w C:\Program Files\Trendy__.TTF
1998-07-30 04:30 51,668 ----a-w C:\Program Files\Radagund.TTF
1998-07-30 04:30 48,508 ----a-w C:\Program Files\Openc___.TTF
1998-07-30 04:29 60,156 ----a-w C:\Program Files\Microdot.TTF
1998-07-30 04:28 54,540 ----a-w C:\Program Files\Mandela_.TTF
1998-07-30 04:28 38,944 ----a-w C:\Program Files\Realv___.TTF
1998-07-30 04:27 52,336 ----a-w C:\Program Files\Shelman_.TTF
1998-07-30 04:26 57,976 ----a-w C:\Program Files\Natur___.TTF
1998-07-30 04:25 64,916 ----a-w C:\Program Files\Pretext_.TTF
1998-07-30 04:25 44,876 ----a-w C:\Program Files\Puppy___.TTF
1998-07-30 04:24 46,212 ----a-w C:\Program Files\Neolith_.TTF
1998-07-30 04:23 61,272 ----a-w C:\Program Files\Matte___.TTF
1998-07-30 04:21 49,960 ----a-w C:\Program Files\Genuine_.TTF
1998-07-30 04:20 63,596 ----a-w C:\Program Files\Alibi___.TTF
1998-07-30 04:18 72,060 ----a-w C:\Program Files\Ellis___.TTF
1998-07-30 04:17 77,384 ----a-w C:\Program Files\Herman__.TTF
1998-07-30 04:17 58,116 ----a-w C:\Program Files\Excess__.TTF
1998-07-30 04:16 104,864 ----a-w C:\Program Files\Isabelle.TTF
1998-07-30 04:15 65,852 ----a-w C:\Program Files\Joan____.TTF
1998-07-30 04:14 63,124 ----a-w C:\Program Files\Helte___.TTF
1998-07-30 04:13 37,180 ----a-w C:\Program Files\Elegance.TTF
1998-07-30 04:10 45,268 ----a-w C:\Program Files\Batavia_.TTF
1998-07-30 04:08 71,068 ----a-w C:\Program Files\Justice_.TTF
1998-07-30 04:02 47,688 ----a-w C:\Program Files\Absalom_.TTF
1998-05-28 21:38 141,328 ----a-w C:\Program Files\ARIALNI.TTF
1998-05-28 21:38 139,056 ----a-w C:\Program Files\ARIALNB.TTF
1998-05-28 21:38 138,468 ----a-w C:\Program Files\ARIALNBI.TTF
1998-05-28 21:38 134,188 ----a-w C:\Program Files\ARIALN.TTF
1998-05-21 19:30 198,540 ----a-w C:\Program Files\GARABD.TTF
1998-05-21 19:30 196,588 ----a-w C:\Program Files\GARA.TTF
1998-05-21 19:30 188,916 ----a-w C:\Program Files\GARAIT.TTF
1998-01-08 23:26 10,028 ----a-w C:\Program Files\OUTLOOK.TTF
1997-10-24 22:42 65,544 ----a-w C:\Program Files\ARBLI___.TTF
1997-03-18 06:49 69,408 ----a-w C:\Program Files\Elepbi__.ttf
1997-03-18 06:49 69,132 ----a-w C:\Program Files\Jolti___.ttf
1997-03-18 06:49 66,652 ----a-w C:\Program Files\Elepi___.ttf
1997-03-18 06:49 65,692 ----a-w C:\Program Files\Vogei___.ttf
2006-12-14 14:04 56 --sh--r C:\WINDOWS\SYSTEM32\876B465C25.sys
2007-05-27 17:49 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
----a-w            69,632 2001-11-25 08:42:10  C:\Backup\H\Documents and Settings\Sandra\My Documents\My Place\digin\SMS\PROGRAM\PasswordVisible2002\password visible2002 .exe
----a-w            69,632 2001-11-25 08:42:10  C:\Documents and Settings\Sandra Miller\My Documents\MD Jan 2004\digin\SMS\PROGRAM\PasswordVisible2002\password visible2002 .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F3FACB7-2681-4131-9E38-8169242B6B2D}]
C:\WINDOWS\system32\cbXNETKb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56115928-FDE3-419A-9E0A-0371CCCE012A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EE19CA6-B6AF-4765-AFEA-639CBBEF2768}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cb6eb86-14d3-4934-8e2a-a0d087c26635}]
2008-06-27 11:12 103424 --a------ C:\WINDOWS\system32\vdsutw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"PlaxoUpdate"="C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe" [2004-12-03 16:20 116736]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-19 20:53 393216]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 14:42 20480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-03 16:52 1817600]
"443e3e86"="C:\WINDOWS\system32\fryhnvgt.dll" [ ]
"BM470d0d1a"="C:\WINDOWS\system32\ytulccqx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-03 16:52]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 19:02]
S3 ATE_PROCMON;ATE_PROCMON;C:\Program Files\Anti Trojan Elite\ATEPMon.sys []
S3 DrvFltIp;DrvFltIp;C:\Program Files\MRBDG\DrvFltIp.sys []
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 UsbFltr;WayTech USB Filter Driver;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2004-05-13 17:14]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2007-08-08 17:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 16:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-06-27 13:00:00 C:\WINDOWS\Tasks\SpyHunter Scanner.job"
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-06-28 02:12:06 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-25 09:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 23:23:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-27 23:34:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 05:34:31

Pre-Run: 47,869,923,328 bytes free
Post-Run: 47,796,768,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

280 --- E O F --- 2008-06-28 00:33:59
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:15 pm

Returned HJT log :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:25 PM, on 27/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telus.net/set_region.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {0F3FACB7-2681-4131-9E38-8169242B6B2D} - C:\WINDOWS\system32\cbXNETKb.dll (file missing)
O2 - BHO: (no name) - {56115928-FDE3-419A-9E0A-0371CCCE012A} - (no file)
O2 - BHO: (no name) - {8EE19CA6-B6AF-4765-AFEA-639CBBEF2768} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {53662c78-0d0a-a2e8-4394-3d4168be6bc9} - {9cb6eb86-14d3-4934-8e2a-a0d087c26635} - C:\WINDOWS\system32\vdsutw.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [443e3e86] rundll32.exe "C:\WINDOWS\system32\fryhnvgt.dll",b
O4 - HKLM\..\Run: [BM470d0d1a] Rundll32.exe "C:\WINDOWS\system32\ytulccqx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} (PrinterHelpEtcActiveX Control) - http://dev.imagingworld.co.kr/printerhe ... rinter.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A11C3-E76A-4E31-8BC2-D85744CF4B8F}: NameServer = 75.154.132.68,75.154.132.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8625 bytes

Re: Posted for godivarides

Unread postby dan12 » July 1st, 2008, 3:22 pm

Hi, godivarides, well done, I can work from that. Will look over it later today; as I said, I'm out most of the day. Will get back to you via this email later. Limit your use of the internet for now.
dan